Period for Reply



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication.

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133).
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any
earned patent term adjustment. See 37 CFR 1.704(b).

Status 

1) [X] Responsive to communication(s) filed on 22 October 2007.
2a) [ ] This action is FINAL. 2b) [X] This action is non-final.

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims 

4) [X] Claim(s) 24-46 is/are pending in the application.

4a) Of the above claim(s) ____ is/are withdrawn from consideration.

5) [ ] Claim(s) ____ is/are allowed.

6) [X] Claim(s) 24-46 is/are rejected.

7) [ ] Claim(s) ____ is/are objected to.

8) [ ] Claim(s) ____ are subject to restriction and/or election requirement.

Application Papers 

9) [ ] The specification is objected to by the Examiner.

10) [ ] The drawing(s) filed on ____ is/are: a) [ ] accepted or b) [ ] objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).

Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).

11) [ ] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119 

12) [ ] Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).
a) [ ] All b) [ ] Some * c) [ ] None of:

1. [ ] Certified copies of the priority documents have been received.

2. [ ] Certified copies of the priority documents have been received in Application No. ____.

3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage
application from the International Bureau (PCT Rule 17.2(a)).
* See the attached detailed Office action for a list of the certified copies not received.
DETAILED ACTION

Continued Examination Under 37 CFR 1.114 

1. A request for continued examination under 37 CFR 1.114, including the fee set
forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this
application is eligible for continued examination under 37 CFR 1.114, and the fee set
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on
10/22/2007 has been entered.

Response to Arguments 

2. Claims 24 - 46 are pending in this Office Action. After a further search and a
thorough examination of the present application, claims 24 - 46 remain rejected.
The claim objections to claims 24 - 46 are withdrawn in view of the amendment.

3. Applicant's arguments filed with respect to the claims have been fully considered but
they are not persuasive. The rejection is maintained and citations are provided in the
rejection below.

Applicant argues that Williams does not disclose the documenting, accommodating the 
live process, compliance and security testing. 

Examiner respectfully disagrees and states that Williams teaches the
documenting, in other words reporting, of the live process, which includes accommodating
it, in paragraphs 148, 151 and 153 of Williams. Furthermore, Williams teaches the
compliance and security testing in paragraph 91.



Claim Rejections - 35 USC § 102 

4. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that
form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by 
the applicant for patent, except that an international application filed under the treaty defined in 
section 351(a) shall have the effects for purposes of this subsection of an application filed in the 
United States only if the international application designated the United States and was published 
under Article 21(2) of such treaty in the English language. 

5. Claims 24 - 46 are rejected under 35 U.S.C. 102(e) as being anticipated by
Williams et al. ('Williams' hereinafter) (US 2005/0015623 A1).

With respect to claim 24, 

Williams discloses a method for effectively and efficiently identifying violations of
privacy and security and guidelines in an information system while documenting and
accommodating the live process of compliance and security testing (paragraphs 91,
148, 151 and 153), comprising the steps of:

a. providing vulnerability data having universal definitions applicable to different 
computing systems (paragraphs 54 and 70, Williams); 

b. providing regulation data relating to a particular set of regulations (paragraphs 73 
and 166, Williams); 
c. providing priority data relating to a list of vulnerabilities prioritized in a specific
order (paragraph 212, Williams);

d. providing keywords that are common to the vulnerability, regulation and priority 
data (paragraphs 0139 and 0141, Williams); 

e. searching for the keywords in the vulnerability, regulation and priority data
(paragraphs 0139 and 0141, Williams);

f. creating relational data based upon the searching step, the relational data 
establishes a specific relationship between the vulnerability, regulation and 
priority data (paragraphs 0053 and 0136 - 0137, Williams); 

g. determining a computer configuration for a target to be tested (paragraphs 56 
and 103, Williams); 

h. customizing a screening process for the target using the computer configuration 
found in the determining step (paragraphs 57 and 99, Williams); 

i. testing for vulnerability violations in the target based upon the customized 
screening process (paragraphs 92 - 93 and 135, Williams); 

j. determining, according to the vulnerability violations, which regulation data 
applies to which vulnerability data and the priority of the vulnerability violations 
(Figures 2 and 3, Williams); and 

k. creating a prioritized report corresponding to the vulnerability violations and the 
regulations that apply to the vulnerability violations (Figures 2 and 3, Williams). 

With respect to claim 25,

Williams discloses the method of claim 24 wherein the set of regulations are 
defined by Health Insurance Portability and Accountability Act (paragraph 0066, 
Williams). 

With respect to claim 26, 

Williams discloses the method of claim 24 wherein the set of regulations are 
defined by Graham Leach Bailey Act (paragraph 0066, Williams). 

With respect to claim 27, 

Williams discloses the method of claim 24 wherein the vulnerability violations are 
stored in a memory (paragraph 147, Williams). 

With respect to claim 28, 

Williams discloses the method of claim 24 wherein the testing step further 
comprises scanning a target to provide a system scan (paragraphs 0109, Williams). 

With respect to claim 29, 

Williams discloses the method of claim 28 further comprising the step of
providing a test set as a function of the system scan (paragraphs 0111 - 0112,
Williams).

With respect to claim 30,

Williams discloses the method of claim 24 wherein the prioritized report further includes
an IP address of the target (paragraph 0170, Williams).

With respect to claim 31,

Williams discloses the method of claim 24 wherein the vulnerabilities data is 
defined by Common Vulnerabilities and Exposures (paragraph 0168, Williams). 

With respect to claim 32, 

Williams discloses an information system for effectively and efficiently identifying
violations of privacy and security and guidelines while documenting and accommodating
the live process of compliance and security testing (paragraphs 91, 148, 151 and 153),
comprising:

a. a vulnerability database having universal definitions applicable to different 
computing systems (paragraphs 54 and 70, Williams); 

b. a regulation database relating to a particular set of regulations (paragraphs 73 
and 166, Williams); 

c. a priority database relating to a list of vulnerabilities prioritized in a specific order
(paragraph 212, Williams);

d. means for providing keywords that are common to the vulnerability, regulation
and priority data (paragraphs 0139 and 0141, Williams);

e. searching means for searching for the keywords in the vulnerability, regulation
and priority data (paragraphs 0139 and 0141, Williams);

f. a memory for storing relational data that was created by the searching means,
the relational data establishes a specific relationship between the vulnerability, 
regulation and priority databases (paragraphs 0053 and 0136 - 0137, Williams); 

g. first determining means for determining a computer configuration for a target to 
be tested (paragraphs 56 and 103, Williams); 

h. customizing means for customizing a screening process for the target using the 
computer configuration found in the first determining means (paragraphs 57 and 
99, Williams); 

i. testing means for testing for vulnerability violations in the target based upon the 
customized screening process (paragraphs 92 - 93 and 135, Williams); 

j. second determining means for determining, according to the vulnerability 
violations, which regulation data applies to which vulnerability data and the 
priority of the vulnerability violations (Figures 2 and 3, Williams); and 

k. a prioritized report corresponding to the vulnerability violations and the
regulations that apply to the vulnerability violations (Figures 2 and 3, Williams).

With respect to claim 33, 

Williams discloses the system of claim 32 wherein the set of regulations are
defined by Health Insurance Portability and Accountability Act (paragraph 0066, 
Williams). 

With respect to claim 34, 

Williams discloses the system of claim 32 wherein the set of regulations are 
defined by Graham Leach Bailey Act (paragraph 0066, Williams). 

With respect to claim 35, 

Williams discloses the system of claim 32 wherein the vulnerability violations are 
stored in a memory (paragraph 147, Williams). 

With respect to claim 36, 

Williams discloses the system of claim 32 wherein the testing means further 
comprises scanning a target to provide a system scan (paragraphs 0109, Williams). 

With respect to claim 37, 

Williams discloses the system of claim 36 further comprising a test set as a
function of the system scan (paragraphs 0111 - 0112, Williams).



With respect to claim 38, 

Williams discloses the system of claim 32 wherein the prioritized report further
includes an IP address of the target (paragraph 0170, Williams). 

With respect to claim 39, 

Williams discloses the system of claim 24 wherein the vulnerabilities data is 
defined by Common Vulnerabilities and Exposures (paragraph 0168, Williams). 

With respect to claim 40, 

Williams discloses the computer-executable process steps, stored on a
computer-readable medium and executable by a processor to perform the steps of:

a. document and accommodate a live process of compliance and security testing 
(paragraphs 91, 148, 151 and 153) 

b. provide vulnerability data having universal definitions applicable to different 
computing systems (paragraphs 54 and 70, Williams); 

c. provide regulation data relating to a particular set of regulations (paragraphs 73 
and 166, Williams); 

d. provide priority data relating to a list of vulnerabilities prioritized in a specific order
(paragraph 212, Williams);

e. provide keywords that are common to the vulnerability, regulation and priority 
data (paragraphs 0139 and 0141, Williams); 

f. search for the keywords in the vulnerability, regulation and priority data
(paragraphs 0139 and 0141, Williams);

g. create relational data based upon the search step, the relational data establishes
a specific relationship between the vulnerability, regulation and priority data 
(paragraphs 0053 and 0136-0137, Williams); 

h. determine a computer configuration for a target to be tested (paragraphs 56 and 
103, Williams); 

i. customize a screening process for the target using the computer configuration 
found in the determine step (paragraphs 57 and 99, Williams); 

j. test for vulnerability violations in the target based upon the customized screening
process (paragraphs 92 - 93 and 135, Williams);

k. determine, according to the vulnerability violations, which regulation data applies
to which vulnerability data and the priority of the vulnerability violations (Figures 2
and 3, Williams); and

l. create a prioritized report corresponding to the vulnerability violations and the
regulations that apply to the vulnerability violations (Figures 2 and 3, Williams).

With respect to claim 41,

Williams discloses the steps of claim 40 wherein the set of regulations are 
defined by Health Insurance Portability and Accountability Act (paragraph 0066, 
Williams). 



With respect to claim 42, 

Williams discloses the steps of claim 40 wherein the set of regulations are
defined by Graham Leach Bailey Act (paragraph 0066, Williams). 

With respect to claim 43, 

Williams discloses the steps of claim 40 wherein the test step further comprises 
scanning a target to provide a system scan (paragraphs 0109, Williams). 

With respect to claim 44, 

Williams discloses the steps of claim 43 further comprising the step of providing a
test set as a function of the system scan (paragraphs 0111 - 0112, Williams).

With respect to claim 45, 

Williams discloses the steps of claim 40 wherein the prioritized report further 
includes an IP address of the target (paragraph 0170, Williams). 

With respect to claim 46, 

Williams discloses the steps of claim 40 wherein the vulnerabilities data is defined by 
Common Vulnerabilities and Exposures (paragraph 0168, Williams). 

Contact Information



Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Navneet K. Ahluwalia whose telephone number is
571-272-5636.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Alam T. Hosain can be reached on 571-272-3978. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



Navneet K. Ahluwalia 

Examiner 

Art Unit 2166 



Dated: 11/23/2007 